jQuery自动转义ajax [英] jQuery is automatically escaping ajax
问题描述
我使用jQuery检查用户名是否被使用。我的问题是 $。post
似乎逃避任何东西。例如,我使用这个:
I'm using jQuery to check to see if a username is taken. My issue is that $.post
seems to escape anything. For example, I use this:
$.post("http://mywebsite.com/check_username.php", {
"username": $("#username_txt").val()
}, function(data, textstatus, xmlhttp){
// do stuff
});
将用户名发送到页面 check_username.php
,大致是
to send the username to the page check_username.php
, which is roughly,
$username = mysql_real_escape_string($_POST["username"]);
echo $username; // show the perceived username
echo mysql_query("SELECT * FROM users WHERE username=\"".$username."\";") === false ? 1 : 0;
如果输入字段中的用户名为bob
(带引号),数据的返回值将为 \\\bob \\\0
。没有mysql_real_escape_string,它读取 \bob\
。如果我敢这样离开,那么潜在的攻击者可以轻松地将SQL代码注入我的应用程序。
If the username in the input field is "bob"
(with the quotation marks), the return from the data will be \\\"bob\\\"0
. Without the mysql_real_escape_string, it reads \"bob\"
. If I dare to leave it like that, then potential attackers could easily inject SQL code into my application.
我没有看到任何关于jQuery文档的get和post关于这个,所以我不知道如何阻止这一点。禁止不使用jQuery作为我的ajax,我该如何解决?
I haven't seen anything on the jQuery documentation on get and post about this, so I'm not sure how to stop this. Barring not using jQuery for my ajax, how do I fix this?
推荐答案
你必须要剥离 魔术报价,PHP自动添加到$ _GET,$ _POST和$ _COOKIE数据。如果所有PHP代码在将其插入HTML,SQL,命令行等之前正确转义字符串,则可以禁用该不推荐使用的功能。
You'll have to strip out the magic quotes that PHP automatically adds to $_GET, $_POST, and $_COOKIE data. That deprecated feature can be disabled if all your PHP code properly escapes strings before inserting them into HTML, SQL, command lines, etc.
这篇关于jQuery自动转义ajax的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!